Sunday, 14 May 2017

WannaCry ransomeware attacks, how to prevent it?

WannaCry has spread to Malaysia; two companies here were stricken by the ransomware virus that has infected a massive number of computers across the globe since Friday. Hackers use the virus to hold a victim’s data to ransom – pay up or lose all your information – and the victims overseas include hospital networks, businesses and government agencies.

PETALING JAYA: All governmental agencies have been told of the WannaCry ransomware outbreak and have armoured themselves against attacks.

“All government agencies at federal and state level have been alerted and ensured that their computers have been patched accordingly,” said CyberSecurity CEO Datuk Dr Amirudin Abdul Wahab.

Dr Amirudin said the WannaCry ransomware exploited vulnerabilities of the Windows operating system, especially on Windows XP which has stopped receiving updates since 2014.

“The malware exploits a flaw in the network protocol called the Server Message Block. Unlike former malware cases which is localised to a single computer, WannaCry exploits the operating system’s vulnerabilities and spreads it across PCs in the network.

“This is why it spread at such speed and range. Realising this, Microsoft came out with the MS17010 patch to stop this particular malware from working and spreading,” he said in a phone interview.

The patch was first rolled out in March this year but was not available to Windows XP, Windows 9 and Windows 2003 until May 12, after WannaCry’s outbreak.

According to the Microsoft Security Response Centre, Windows 10 users were not targeted by the attack.

To protect themselves against any malware attack, computer users were urged to back up their files, avoid clicking on suspicious links online or download attachments in e-mail messages sent by strangers.

“Apart from preventive measures, if you think you have been infected by the malware, please report to us at cyber999@cybersecurity.my or call us at 1300-882999,” he said.

In response to a question, Dr Amirudin said it was not an obligation under the law for anyone to report any security breach.

“It is not mandatory in Malaysia, unlike in some other countries,” he lamented, pointing out that when people made a report to CyberSecurity, their confidentiality would be paramount.

“We can also provide assistance,” Dr Amirudin added.

As of 6pm yesterday, CyberSecurity has yet to receive any report on infected computers in Malaysia.

“It does not mean that infection will not happen. At present, however, the situation is manageable and under control and we are always on the alert,” he said.

When contacted, the Malaysian Communications and Multimedia Commission and CyberSecurity Malaysia also said they had not received any report of a WannaCry infection in Malaysia.

It demands payment in three days or the price is doubled, and if none is received in seven days the files will be deleted, according to the screen message.

“Ransomware becomes particularly nasty when it infects institutions like hospitals, where it can put people’s lives in danger,” said Kroustek, the Avast analyst.

A hacking group called Shadow Brokers released the malware in April claiming to have discovered the flaw from the NSA, Kaspersky said.

Although Microsoft released a security patch for the flaw earlier this year, many systems have yet to be updated, researchers said.

“Unlike most other attacks, this malware is spreading primarily by direct infection from machine to machine on local networks, rather than purely by email,” said Lance Cottrell, chief scientist at the US technology group Ntrepid.

Some said the attacks highlighted the need for agencies like the NSA to disclose security flaws so they can be patched.

G7 finance ministers meeting in Italy discussed the attacks and were expected to commit to stepping up international cooperation against a growing threat to their economies. — AFP

Massive Ransomware Attack Hits 99 Countries

PHILADELPHIA (CNN)–Tens of thousands of ransomware attacks are targeting organizations around the world on Friday.

Cybersecurity firm Avast said it has tracked more than 75,000 attacks in 99 countries. It said the majority of the attacks targeted Russia, Ukraine and Taiwan.

What is it?

The ransomware locks down all the files on an infected computer and asks the computer’s administrator to pay in order to regain control of them.

The ransomware, called “WannaCry,” is spread by taking advantage of a Windows vulnerability that Microsoft released a security patch for in March. But computers and networks that haven’t updated their systems are at risk. The exploit was leaked last month as part of a trove of NSA spy tools.

“Affected machines have six hours to pay up and every few hours the ransom goes up,” said Kurt Baumgartner, the principal security researcher at security firm Kaspersky Lab. “Most folks that have paid up appear to have paid the initial $300 in the first few hours.”

Sixteen National Health Service (NHS) organizations in the UK have been hit, and some of those hospitals have canceled outpatient appointments and told people to avoid emergency departments if possible. Spanish telecom company Telefónica was also hit with the ransomware.

Spanish authorities confirmed the ransomware is spreading through the vulnerability, called “EternalBlue,” and advised people to patch.

“It is going to spread far and wide within the internal systems of organizations — this is turning into the biggest cybersecurity incident I’ve ever seen,” UK-based security architect Kevin Beaumont said.

Russia’s Interior Ministry released a statement acknowledging a ransomware attack on its computers, adding that less than 1% of computers were affected, and that the virus is now “localized.” The statement said antivirus systems are working to destroy it.

Megafon, a Russian telecommunications company, was also hit by the attack. Spokesman Petr Lidov told CNN that it affected call centers but not the company’s networks. He said the situation is now under control.

“We encourage all Americans to update your operating systems and implement vigorous cybersecurity practices at home, work, and school,” the U.S. Department of Homeland Security said in a statement released late Friday. “We are actively sharing information related to this event and stand ready to lend technical support and assistance as needed to our partners, both in the United States and internationally.”

Kaspersky Lab says although the WannaCry ransomware can infect computers even without the vulnerability, EternalBlue is “the most significant factor” in the global outbreak.

How to prevent it

Beaumont examined a sample of the ransomware used to target NHS and confirmed it was the same used to target Telefónica. He said companies can apply the patch released in March to all systems to prevent WannaCry infections. Although it won’t do any good for machines that have already been hit.

He said it’s likely the ransomware will spread to U.S. firms too. The ransomware is automatically scanning for computers it can infect whenever it loads itself onto a new machine. It can infect other computers on the same wireless network.

“It has a ‘hunter’ module, which seeks out PCs on internal networks,” Beaumont said. “So, for example, if your laptop is infected and you went to a coffee shop, it would spread to PCs at the coffee shop. From there, to other companies.”

According to Matthew Hickey, founder of the security firm Hacker House, Friday’s attack is not surprising, and it shows many organizations do not apply updates in a timely fashion. When CNNTech first reported the Microsoft vulnerabilities leaked in April, Hickey said they were the “most damaging” he’d seen in several years, and warned that businesses would be most at risk.

Consumers who have up-to-date software are protected from this ransomware. Here’s how to turn automatic updates on.

It’s not the first time hackers have used the leaked NSA tools to infect computers. Soon after the leak, hackers infected thousands of vulnerable machines with a backdoor called DOUBLEPULSAR.

WannaCry strikes two Malaysian companies

PETALING JAYA: Two local companies have been hit by the infamous WannaCry ransomware, three days after the malicious software was released, infecting 200,000 computers in 150 countries so far.

According to IT security services company LGMS, the first case in Malaysia involved a director of one of its clients who came across the dreaded ransomware on his personal laptop on Saturday morning.

LGMS founder C.F. Fong said the data in the laptop had to be erased as the person did not intend to pay the US$300 (RM1,300) ransom.

The same ransomware appeared in the machine of an automotive shop on Sunday morning.

“The company didn’t have any backup and might pay (the ransom),” said Fong.

Besides disconnecting compu­ters from the network, there was not much else they could do, he noted.

As of 3pm yesterday, a website tracking incidences of WannaCry infections started showing blips in the Klang Valley area.

The website displays a blip whenever an infected computer pings its tracking servers, thus allowing it to map out a geographical distribution of the WannaCry infection.

Fong added that any machine infected by WannaCry should not be connected to a public or cor­­porate network.

“Once you plug into any network, it will start spreading,” he pointed out.

Fong said none of LGMS’ clients, which include major banks in Malaysia, had reported any pro­blems so far, adding that he was quite confident that those who re­gularly updated their computers would not face any problems with WannaCry.

He said ransomware was not new but WannaCry had caused worldwide alarm because of how fast it was spreading.

“We have seen worse and devastating ransomware attacks before but WannaCry’s infection rate is one of the fastest ever as it exploits the vulnerability that exists in Windows,” Fong said.

Security companies all over the world are reporting an unprecedented wave of WannaCry ransomware infections since Friday when more than 150 countries were hit by it.

The ransomware encrypts the data on an infected computer, preventing users from accessing it.

According to a report in The Guardian, the ransomware uses a vulnerability first revealed as part of a leaked stash of NSA-related documents, which infects machines running Windows and encrypts their contents before demanding a ransom to decrypt these files.

The perpetrators promise to release the data once a ransom of US$300 (RM1,300) is paid.

In just two days, computer networks of Britain’s National Health Service, Russia’s interior ministry and international shipper FedEx, among others, were affected.

The website tracking incidences of WannaCry infections was created by a 22-year-old British re­sear­cher known only as MalwareTech, who was credited with being an “accidental hero” after discovering a “kill switch” that halted WannaCry’s outbreak.